dilim/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2026-06-24 08:48:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

avformat/matroskadec: Check audio.sub_packet_h * audio.frame_size

Browse Source 
Reject block_align larger than the sub_packet_h * frame_size buffer to
avoid a heap out-of-bounds write when deinterleaving RealAudio subpackets.

(cherry picked from commit 20fc83fa5b... adapted to 4.4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2026-06-21 17:53:08 +02:00
parent 9bca18ebcd
commit fd12ac8101
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
libavformat/matroskadec.c
View File

@@ -2708,6 +2708,10 @@ static int matroska_parse_tracks(AVFormatContext *s)
st->codecpar->block_align = track->audio.sub_packet_size;
extradata_offset = 78;
}
if (st->codecpar->block_align <= 0 ||
track->audio.sub_packet_h * (unsigned)track->audio.frame_size > INT_MAX ||
track->audio.frame_size * track->audio.sub_packet_h < st->codecpar->block_align)
return AVERROR_INVALIDDATA;
track->audio.buf = av_malloc_array(track->audio.sub_packet_h,
track->audio.frame_size);
if (!track->audio.buf)